Amid growing fears of stolen credentials and data breaches, the FIDO Alliance released its long-awaited 1.0 specifications for passwordless and multifactor authentication systems.

An upstart effort to foster standards for online passwordless and multifactor authentication today made its specifications official -- a move many vendors hope will be the watershed event that sparks widespread adoption of MFA and results in the death of the password once and for all.

The FIDO Alliance announced the ratification of version 1.0 of its Universal Authentication Framework (UAF) and Universal 2nd Factor (U2F) specifications, the first official versions of its burgeoning standards for enabling interoperable MFA for any number of Web or mobile authentication scenarios, as well as biometric authentication with fingerprint readers, voice scanners or even facial-recognition systems.

A non-profit vendor consortium led by the biggest names in tech including Microsoft, Google, PayPal Inc., and many others, the FIDO Alliance was formed two and a half years ago to lay the technological groundwork for advanced forms of passwordless authentication. While a number of vendors have developed one-off architectures in recent years, FIDO sought to not only foster default integration between websites, authentication products, smartphones and payment processors, among others, but also make non-traditional authentication easy for end-users.

Phil Dunkelberger, CEO of Nok Nok Labs Inc., a Palo Alto, Calif.-based company and FIDO founding member, said that FIDO members' vote to ratify the 1.0 specifications, thereby granting members the opportunity to build and sell products based on the specification, is proof of the success the industry consortium has had in gathering and implementing the input of more than 150 member organizations and nearly 20 beta implementations.

"I think about being in a room with a white board," Dunkelberger said, referencing his many early meetings two-plus years ago with would-be FIDO members. "We wouldn't have had the success we've had without being able to demonstrate that it works."

"Now that the specifications are released, I think some of the more risk-averse OEMs will explore the technology," said Art Stewart, vice president of the biometric division at Synaptics, a FIDO Alliance board member based in San Jose, Calif.

Andras Cser, vice president and principal analyst at Cambridge, Mass.-based Forrester Research Inc., believes the specifications will help drive significant interest in FIDO, especially in light of the number of high-profile corporate data breaches tied to stolen credentials.

"I think FIDO 1.0 is the first step in the direction of creating a uniform and application-independent authentication and strong authentication ecosystem," Cser said. "It provides a great abstraction layer to hide all the complexities of two factor authentication. For those data breaches where authentication was the weakest link, FIDO will definitely play a role in prevention."

How FIDO works

In describing the role of FIDO-based technology, Dunkelberger said it's like "a feeding mechanism for identity systems," like directory and single sign-on systems, which ensure smooth, secure MFA sessions for users with FIDO-compatible technology.

Both the UAF and U2F protocols are based on public-key cryptography: at registration the authenticator generates a key pair and gives the server only the public key, and at login it proves possession of the private key by signing a challenge the server issued. The UAF protocol allows the user to register a UAF-enabled device with a FIDO-ready server or website, unlock it locally with a fingerprint or PIN, and log in by having the device sign the server's challenge, which the server verifies against the public key registered earlier. The U2F protocol, originally developed by Google, is designed to augment passwords for browsers, online service providers and operating systems by adding a strong second factor, such as a USB key the user touches to confirm presence.

"Passwords simply aren't good enough for authentication today," said John Salter, COO of identity protection vendor Yubico, a Palo Alto, Calif.-based board-level member of the FIDO Alliance. "Even if the passwords are strong, the cost of managing them and resetting them is expensive."

In addition to password cracking and stolen credentials, Salter said phishing attacks have also driven more interest in and awareness of FIDO technology, specifically U2F products like Yubico's YubiKey public-key device. "Phishing is an issue for a small number of people, but those people are very influential and the attacks on them can do a lot of damage," Salter said.

The alliance released a draft of the proposed 1.0 specifications earlier this year; the final 1.0 release included several key changes, among them application ID (AppID) checking, which lets a credential registered under one AppID be shared between an application's native app and its Web URLs (its facets) while the authenticator still refuses to sign for an origin outside that set. The check applies to both the UAF and U2F protocols.
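The exchange described above (registration, a server challenge signed by the device, verification against the stored public key) together with the application ID check, as an added Go example that is not code from the FIDO Alliance or from any member's product. It models the token and the relying-party server in one process and simplifies the wire protocol: the origin https://bank.example, the look-alike https://bank-login.example and the client data bytes are constructed for the example; key handles for selecting among several registrations and the U2F attestation certificate are left out; and the browser's facet-list lookup is reduced to passing the page's origin straight to the token:

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Token models a U2F-style authenticator for one registration: the key pair is bound
// to the application ID it was created for and the private key never leaves the device.
type Token struct {
	priv    *ecdsa.PrivateKey
	appID   string
	counter uint32
}

// Register creates a P-256 key pair for appID and returns the public key for the server to store.
func Register(appID string) (*Token, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Token{priv: priv, appID: appID}, &priv.PublicKey, nil
}

// Sign answers an authentication request for the origin the browser reports. The AppID
// check is the phishing defence: a key registered for one origin never signs for another.
func (t *Token) Sign(appID string, clientData []byte) (uint32, []byte, error) {
	if t.appID != appID {
		return 0, nil, fmt.Errorf("application ID %q does not match registration for %q", appID, t.appID)
	}
	t.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, t.priv, signedMessage(appID, t.counter, clientData))
	return t.counter, sig, err
}

// signedMessage hashes the U2F authentication signature input:
// SHA-256(appID) || user-presence byte || 32-bit big-endian counter || SHA-256(clientData).
func signedMessage(appID string, counter uint32, clientData []byte) []byte {
	ah, ch := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := append(append(append(ah[:], 0x01), ctr[:]...), ch[:]...) // 0x01: touch confirmed
	sum := sha256.Sum256(msg)
	return sum[:]
}

// RelyingParty is the FIDO-ready server for one user: it keeps only the public key and the last counter.
type RelyingParty struct {
	appID   string
	pub     *ecdsa.PublicKey
	counter uint32
}

// Verify accepts an assertion only if it answers the challenge we issued, its counter moved
// forward (replay and clone detection) and its signature verifies under the registered public key.
func (rp *RelyingParty) Verify(challenge, clientData []byte, counter uint32, sig []byte) error {
	if !bytes.Contains(clientData, challenge) {
		return errors.New("client data does not carry the challenge we issued")
	}
	if counter <= rp.counter {
		return errors.New("signature counter did not advance: replay or cloned token")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedMessage(rp.appID, counter, clientData), sig) {
		return errors.New("signature does not verify under the registered public key")
	}
	rp.counter = counter
	return nil
}

// Demo registers a token with a constructed relying party, then tries a genuine login, a
// look-alike phishing origin relaying the real challenge, and a replay. nil means accepted.
func Demo() (genuine, phishing, replay error) {
	const origin = "https://bank.example" // constructed example origin
	token, pub, err := Register(origin)
	if err != nil {
		return err, err, err
	}
	rp := &RelyingParty{appID: origin, pub: pub}
	challenge := make([]byte, 32) // server-issued nonce, fresh for every login
	rand.Read(challenge)
	clientData := append([]byte("constructed client data; challenge="), challenge...)
	counter, sig, err := token.Sign(origin, clientData)
	if err != nil {
		return err, err, err
	}
	genuine = rp.Verify(challenge, clientData, counter, sig)
	_, _, phishing = token.Sign("https://bank-login.example", clientData) // browser reports the real page origin
	replay = rp.Verify(challenge, clientData, counter, sig)               // same assertion presented a second time
	return genuine, phishing, replay
}

func main() {
	g, p, r := Demo()
	fmt.Println("genuine:", g, "| phishing:", p, "| replay:", r)
}
```

Run with go run: the genuine login verifies, the look-alike origin is refused by the token before anything is signed (so the relayed challenge is worthless to the phisher), and the second presentation of the same assertion fails the counter check. A production server would additionally tie each challenge to a session and expire it, and would validate the attestation at registration.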

For future versions of the U2F specifications, Salter said the FIDO Alliance will look to expand transport options beyond USB.

"We're exploring Bluetooth and NFC (near-field communication) so the technology can be used in devices like smartphones and tablets," Salter said, adding that Yubico has already deployed U2F on NFC with one client.

FIDO end-user technology today/tomorrow

At the heart of FIDO technology is public-key cryptography: the authenticator signs server challenges with a private key that never leaves the device, and the server verifies those signatures with the matching public key. Dunkelberger, former co-founder and CEO of PGP Corp., which was acquired by Symantec Corp. in 2010, called the approach sound and fundamental to secure authentication.

One of the additions to the 1.0 version of the FIDO specification is support for a "secure element": tamper-resistant hardware on the end-user authentication device that holds the private key, so the key can be used to validate the device but never read out of it. The concept recently gained visibility through Apple's use of a similar chip in Apple Pay.

In fact, online and mobile payment systems have played a crucial role in the development of FIDO's specifications, Stewart said. "That's been by far the biggest industry supporting [FIDO]," he said.

Stewart also said that while several alliance members already have FIDO-ready products for the UAF and U2F protocols, there is plenty of room for additional companies to develop more, whether actual authenticators or complementary products such as key management tools.

"There's a tremendous amount of activity around FIDO already," he said, "and I think the added competition will be a good thing."

Despite the notoriously slow progress of most IT industry standards efforts, FIDO has, in just two and a half years, gone from little more than a vague concept to a set of standards embraced by dozens of tech's most influential companies.

Dunkelberger said that rapid progress is evidence not only of how well the industry can work together to foster sensible standards, but also of how eager FIDO's many stakeholders are to usher in an era in which passwordless authentication becomes the norm.

"To me, this was the real bet: Can the industry come together to solve the stolen credentials issue?" Dunkelberger said, citing the role compromised password-based credentials have had in numerous high-profile breaches. "Eventually this [non-password-based authentication] will be like fluoride in the water; it'll be built in and just be there."

1 comment

FIDO is expected to make sure that the vendors of biometric products operated together with passwords by OR/disjunction (as against AND/conjunction, common for 2-factor authentication) should explicitly publicize that

(A) The biometric product raises the convenience at the sacrifice of security when the user keeps using the same password.

&

(B) The biometric product raises the convenience without sacrificing security when the user has changed the password to a largely-harder-to-break password (with a footnote that the password should be remembered, not carried around on a memo, and that the password should not be reused across other accounts).

Incidentally, it should be noted that it is not possible to compare the strength of biometrics with that of passwords. There are no objective data about the overall vulnerability of biometric solutions (not just the false acceptance rate when false rejection is sufficiently low, but also the risk of forgery of body features and the risk of use when the user is unconscious or asleep) or that of passwords (not only that it may be as low as 10 bits or as high as 100 bits, but also that it can be stolen and leaked).